Primary intake
Reports go through the security form first, with security@blast-audit.com as backup contact.
Legal
Security / Vulnerability Disclosure (VDP)
How to responsibly report security vulnerabilities to Blast Audit.
Last updated: February 15, 2026
Scope
In scope: blast-audit.com, relevant subdomains, and other public web assets operated by Blast Audit.
Response targets
Acknowledgement within 72 hours. Initial triage within 7 days. No monetary bounty at this time.
Blast Audit (NEXT BP) welcomes responsible disclosure of security vulnerabilities.
Report a vulnerability
Preferred: Submit a report using this form:
Backup contact:
- Email: security [at] blast-audit.com
Please include:
- A clear description
- Steps to reproduce
- Affected URL(s)/endpoint(s)
- Impact assessment
- Proof-of-concept (text or link)
Scope
In scope:
- blast-audit.com and relevant subdomains (e.g., app / api)
- Any other public web assets owned and operated by Blast Audit
Out of scope:
- DoS/DDoS, load/stress testing
- Social engineering (phishing/vishing), physical attacks, threats/extortion
- Automated scanning that disrupts availability
- Issues in third-party services not controlled by Blast Audit
Safe Harbor
We support good-faith security research.
If you avoid data access beyond what is necessary, do not disrupt services, test only in-scope assets, and report promptly, we will not pursue legal action against you for your research.
Response targets
- Acknowledgement: within 72 hours
- Initial triage: within 7 days
No bounty
This is a vulnerability disclosure program. We do not currently offer monetary rewards.
Last updated: 2026-02-15